Thursday, August 18, 2016

Once again, opmsg is ahead of the curve, by introducing what I will call cross-domain ECDH kex. The idea behind it is straightforward and obvious, so I wouldn't claim to be the first who invented it. Digging through the interweb a bit didn't show quick results, so I named it cross-domain ECDH without walking to the library to do more in-depth research about someone else having different names for it. If there is one, feel free to point me to it.

ECDH is a neat way to do your Key Exchange (Kex). It has a small footprint in speed and size. It's even fast enough to be done multiple times in a row, without the user really noticing a slowdown. The drawback of ECDH is that the so-called domain parameters for the curves are chosen by an entity that you have to trust. Trust in the sense that nobody in the committee responsible for choosing the parameters would introduce so-called Nobody-But-Us (NOBUS) bits that would weaken the resulting ECDH Kex secret.

There are different ways to put trust into the domain parameters, like using some kind of sane and "well-known" seedings and algorithms to generate "reproducible" parameters (like Brainpool is doing). Other curve designers don't care about it at all and show an eat-or-die mentality. This leads to some kind of flame war and bashing between the different cults of ECC evangelists. Nobody knows anything about the NOBUS, but everyone believes the opposite curve has backdoored parameters.

opmsg puts an end to this war by allowing users to specify more than one curve to do the Kex with. Up to three curves may be specified. The master secret is derived from the multiple distinct ECDH Kex's which are made. The idea is that in case there are NOBUS backdoors, even within every single curve, the different backdooring parties would not work together and share their NOBUS knowledge with each other. They won't share their knowledge, because a potential NOBUS inside a NIST curve would be the holy grail that they would never ever show to someone else, and in particular not to the party who, let's say, put their NOBUS into the GOST curves.

So, even if each curve that you chose to do your ECDH Kex would be weak, the overall cross-domain ECDH Kex is secure. As long as you really choose your curves cross-domain, e.g. not three of the NIST curves in a row.

This feature is experimental. Please refer to the chapter in the README which explains the particular config options. If you are not in this curve flame war, you don't need to change anything at all. It's all in the compatibility mix and you can just work as before, if you prefer.
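The construction described above, as an added sketch that is not opmsg's code: one ECDH exchange per curve, with all shared secrets hashed into a single master secret, so recovering it requires breaking every curve used. The curve pair (NIST P-256 and SECG secp256k1), the SHA-256 combiner and all function names are assumptions chosen for illustration; the point arithmetic is textbook affine math and not constant-time.

```python
import hashlib
import secrets

CURVES = {  # name: (p, a, b, Gx, Gy, n) for y^2 = x^3 + ax + b over GF(p)
    "P-256": (2**256 - 2**224 + 2**192 + 2**96 - 1, -3,
        0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
        0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
        0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5,
        0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551),
    "secp256k1": (2**256 - 2**32 - 977, 0, 7,
        0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
        0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8,
        0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141)}

def on_curve(c, P):
    p, a, b = CURVES[c][:3]
    return P is not None and (P[1]**2 - P[0]**3 - a*P[0] - b) % p == 0

def add(c, P, Q):
    p, a = CURVES[c][:2]
    if P is None or Q is None:  # None is the point at infinity
        return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None  # P + (-P) = point at infinity
    num, den = (3*x1*x1 + a, 2*y1) if P == Q else (y2 - y1, x2 - x1)
    m = num * pow(den % p, -1, p) % p  # slope of tangent or chord
    x3 = (m*m - x1 - x2) % p
    return (x3, (m*(x1 - x3) - y1) % p)

def mul(c, k, P):
    R = None
    while k:  # double-and-add, least significant bit first
        if k & 1:
            R = add(c, R, P)
        P, k = add(c, P, P), k >> 1
    return R

def keygen(c):
    d = 1 + secrets.randbelow(CURVES[c][5] - 1)  # private scalar in [1, n-1]
    return d, mul(c, d, CURVES[c][3:5])

def cross_domain_secret(privs, peer_pubs):
    h = hashlib.sha256()
    for c in sorted(privs):  # fixed curve order so both sides hash alike
        if not on_curve(c, peer_pubs[c]):
            raise ValueError("peer point not on " + c)  # invalid-curve input
        shared = mul(c, privs[c], peer_pubs[c])
        h.update(c.encode() + b"\0" + shared[0].to_bytes(32, "big"))
    return h.digest()
```

Each side calls `keygen` once per curve, sends the public points, and feeds its own private scalars plus the peer's points to `cross_domain_secret`.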